Software Engineering Institute

CWE-200: Information Exposure

When logged into the Websense Triton Unified Security Center 7.7.3 and possibly earlier versions with any permission level, it is possible to navigate to the “Log Database” or “User Directories” portions of the “Settings” module. In either section, it is possible to use a web browser to “Inspect Elements” within the page.

Password blocks are initially hashed within the page using the following form variable:
<input type=”password” id=”logDatabaseSettings:password” name =”logDatabaseSettings:password” maxlength=�· size=�·>

However, due to the lack of proper form construction and hashing of password credentials, it is possible to change the string to the following and reload the page:
<input type=”text” id=”logDatabaseSettings:password” name =”logDatabaseSettings:password” maxlength=�· size=�·>

Allowing the password credentials to be displayed in plain-text, along with the associated username.

An authenticated attacker can view stored credentials of a possibly higher privileged user.

Update

It has been reported that the vendor has addressed this vulnerability in Triton Unified Security Center 7.7.3 Hotfix 31. Affected users are advised to update to Triton Unified Security Center 7.7.3 Hotfix 31 or later.

The vendor has stated that the following products have also been updated to address this vulnerability.

• Web Security Gateway Anywhere v7.7.3 Hotfix 31
• Web Security Gateway v7.7.3 Hotfix 31
• Websense Web Security v7.7.3 Hotfix 31
• Websense Web Filter v7.7.3 Hotfix 31
• Windows and Websense V-Series appliances